security/codeql¶
Runs GitHub CodeQL static analysis (init + autobuild + analyze) for a single language.
Usage¶
- uses: wphillipmoore/standard-actions/actions/security/codeql@develop
with:
language: python
queries: "+security-extended"
Inputs¶
| Name | Required | Default | Description |
|---|---|---|---|
language |
Yes | — | CodeQL language to analyze (e.g. python, javascript, go, java). |
queries |
No | +security-extended |
Query suite to run. |
Permissions¶
security-events: write(required for uploading SARIF results)contents: read
Behavior¶
- Initialize CodeQL — Uses
github/codeql-action/init@v4to set up the CodeQL database for the specified language and query suite. - Autobuild — Uses
github/codeql-action/autobuild@v4to automatically detect and build the project. - Run analysis — Uses
github/codeql-action/analyze@v4to perform the analysis and upload results. Results are categorized by/language:<language>.
Examples¶
Python CodeQL analysis¶
jobs:
codeql:
name: "security: codeql"
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
steps:
- uses: actions/checkout@v6
- uses: wphillipmoore/standard-actions/actions/security/codeql@develop
with:
language: python
Go CodeQL analysis¶
GitHub configuration¶
- GitHub Advanced Security (GHAS) — Must be enabled on the repository for SARIF upload to work. For public repositories, GHAS is available by default. For private repositories, a GHAS license is required.
- Code scanning alerts — Results appear in the repository's Security > Code scanning alerts tab.